From 543381a24d5647c2d8b8388029c1a1226d311961 Mon Sep 17 00:00:00 2001
From: Tobias Reich <tobias.reich.ich@gmail.com>
Date: Fri, 25 Apr 2014 10:13:43 +0200
Subject: [PATCH] Verify image with exif_imagetype (#133)

---
 php/modules/Photo.php | 45 +++++++++++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 10 deletions(-)

diff --git a/php/modules/Photo.php b/php/modules/Photo.php
index 4a1616a..e2d1155 100755
--- a/php/modules/Photo.php
+++ b/php/modules/Photo.php
@@ -14,6 +14,18 @@ class Photo extends Module {
 	private $settings	= null;
 	private $photoIDs	= null;
 
+	private $allowedTypes = [
+		IMAGETYPE_JPEG,
+		IMAGETYPE_GIF,
+		IMAGETYPE_PNG
+	];
+	private $validExtensions = [
+		'.jpg',
+		'.jpeg',
+		'.png',
+		'.gif'
+	];
+
 	public function __construct($database, $plugins, $settings, $photoIDs) {
 
 		# Init vars
@@ -59,17 +71,19 @@ class Photo extends Module {
 
 		foreach ($files as $file) {
 
-			if ($file['type']!=='image/jpeg'&&
-				$file['type']!=='image/png'&&
-				$file['type']!=='image/gif')
-					continue;
+			# Verify extension
+			$extension = $this->getExtension($file['name']);
+			if (!in_array(strtolower($extension), $this->validExtensions, true)) continue;
 
+			# Verify image
+			$type = @exif_imagetype($file['tmp_name']);
+			if (!in_array($type, $this->allowedTypes, true)) continue;
+
+			# Generate id
 			$id = str_replace('.', '', microtime(true));
 			while(strlen($id)<14) $id .= 0;
 
 			$tmp_name	= $file['tmp_name'];
-			$extension	= array_reverse(explode('.', $file['name']));
-			$extension	= $extension[0];
 			$photo_name	= md5($id) . ".$extension";
 			$path		= LYCHEE_UPLOADS_BIG . $photo_name;
 
@@ -485,7 +499,8 @@ class Photo extends Module {
 		$photo	= $photos->fetch_object();
 
 		# Get extension
-		$extension = array_reverse(explode('.', $photo->url));
+		$extension = $this->getExtension($photo->url);
+		if ($extension===false) return false;
 
 		# Parse title
 		if ($photo->title=='') $photo->title = 'Untitled';
@@ -505,7 +520,17 @@ class Photo extends Module {
 
 	}
 
-	function setTitle($title) {
+	public function getExtension($filename) {
+
+		$extension = strpos($filename, '.') !== false
+			? strrchr($filename, '.')
+			: '';
+
+		return $extension;
+
+	}
+
+	public function setTitle($title) {
 
 		# Check dependencies
 		$this->dependencies(isset($this->database, $this->photoIDs));
@@ -527,7 +552,7 @@ class Photo extends Module {
 
 	}
 
-	function setDescription($description) {
+	public function setDescription($description) {
 
 		# Check dependencies
 		$this->dependencies(isset($this->database, $this->photoIDs));
@@ -584,7 +609,7 @@ class Photo extends Module {
 
 	}
 
-	function getPublic($password) {
+	public function getPublic($password) {
 
 		# Check dependencies
 		$this->dependencies(isset($this->database, $this->photoIDs));